CLAIMS 

What is claimed is: 

1 . A system comprising: 

at least a first input mechanism to receive first multi-factor authentication 
data associated with Z authentication factors; 

a cryptographic engine to encrypt the first multi-factor authentication data; 

a separated user authentication, non-volatile data store to store the 
encrypted first multi-factor authentication data; and 

a first processing unit to determine whether second authentication data 
received via the at least first input mechanism matches a subset of the first multi- 
factor authentication data, the second authentication data associated with N 
authentication factors where N is less than or equal to Z. 

2. The system of claim 1 wherein the first input mechanism includes 
at least one biometric input mechanism. 

3. The system of claim 1 further including 

a Trusted Platform Module, the cryptographic engine being included in the 
Trusted Platform Module. 

4. The system of claim 1 wherein the first processing unit is one of a 
microprocessor, a digital signal processor, and an embedded processor. 
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'5. The system of claim 4 wherein the first processing unit implements 
a security technology to provide for protected execution. 

6. The system of claim 4 further including a second processing unit 
separate from the first processing unit. 

7. A system comprising: 

a first processor to execute instructions; 

a first non-volatile memory to store instructions to be executed by the 
processor; 

a bus coupled to the processor and the first non-volatile memory to 
communicate information; and 

a user authentication sub-system coupled to the bus, the user 
authentication sub-system including: 

a user authentication input module to receive first user 
authentication data; 

a second, separated non-volatile memory to store an encrypted 
version of the first user authentication data; and 

a second user-authentication processor to determine whether 
second user authentication data matches at least a corresponding subset 
of the first user authentication data. 
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8. The system of claim 7 wherein the user authentication sub-system 
further includes 

a cryptographic engine to encrypt the first user authentication data prior to 
storage. 

9. The system of claim 8 wherein the cryptographic engine is included 
in a trusted platform module. 

10. The system of claim 7 wherein the user authentication input 
module is to receive first authentication data including at least one biometric 
authentication factor. 

1 1 . The system of claim 1 0 wherein the first authentication data 
includes Z authentication factors and the second authentication data includes N 
authentication factors where N is less than Z. 

12. The system of claim 7 wherein the second non-volatile memory is 
physically separated from the first non-volatile memory. 

13. The system of claim 7 wherein the second non-volatile memory is 
logically separated from the first non-volatile memory. 
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14. A method comprising: 

receiving first multi-factor authentication data at a user-authentication sub- 
system; 

decrypting second multi-factor authentication stored in a separated non- 
volatile memory; and 

determining whether the first multi-factor authentication data matches at 
least a corresponding subset of the second multi-factor authentication data. 

1 5. The method of claim 14 further comprising: 

granting access to a resource if the first multi-factor authentication data 
matches at least a corresponding subset of the second multi-factor 
authentication data; and 

denying access to the resource if the first multi-factor authentication data 
does not match at least a corresponding subset of the second multi-factor 
authentication data. 

1 6. The method of claim 1 5 further comprising: 

requesting the first multi-factor authentication data in response to an 
attempt to access the resource. 

17. The method of claim 14 wherein receiving first multi-factor 
authentication data includes receiving at least one biometric data input type. 
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18. The method of claim 14 further comprising 
receiving the second multi-factor authentication data; 
encrypting the second multi-factor authentication data; and 

storing the second multi-factor authentication data in the separated, non- 
volatile memory. 

1 9. The method of claim 1 4 wherein 

determining whether the first multi-factor authentication data matches at 
least a corresponding subset of the second multi-factor authentication data 
includes using an authentication processor separate from a main processor. 

20. A method comprising: 

generating at a requestor a request to authenticate a user; 

performing a bi-lateral authentication process to bi-laterally authenticate a 
user authentication sub-system and the requestor; and 

authenticating a user with the user authentication sub-system prior to 
granting access to a resource if the sub-system and the requestor are bi-laterally 
authenticated. 

21 . The method of claim 20 wherein performing the bi-lateral 
authentication process includes exchanging data encrypted with previously 
exchanged keys. 
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22. The method of claim 20 wherein authenticating a user with the user 
authentication sub-system includes authenticating a user with an operating 
system-independent user authentication sub-system. 

23. A method comprising: 

in response to receiving a request for user authentication, checking a 
platform configuration register to determine if a platform configuration has 
changed since a previous time the platform configuration register was checked; 
and 

performing a user authentication process with a user authentication sub- 
system only if it is determined that the platform configuration has not changed. 

24. The method of claim 23 wherein performing the user authentication 
process with the user authentication sub-system includes 

receiving first multi-factor authentication data at the user authentication 
sub-system; 

decrypting second multi-factor authentication stored in a separated non- 
volatile memory; and 

determining whether the first multi-factor authentication data matches at 
least a corresponding subset of the second multi-factor authentication data. 

25. The method of claim 24 wherein receiving first multi-factor 
authentication data includes receiving at least one biometric data type. 
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26. The method of claim 24 further comprising 

controlling access to a resource based on whether the first multi-factor 
authentication data matches at least a corresponding subset of the second multi- 
factor authentication data. 

27. The method of claim 26 wherein controlling access to a resource 
includes controlling access to at least one of an enterprise resource, an 
application and a computer system. 

28. A machine-accessible storage medium storing data that, when 
accessed by a machine, causes the machine to perform a method including: 

requesting an autonomous user authentication sub-system to perform a 
user authentication process; 

requesting a user to provide first multi-factor authentication data; and 
determining whether to grant access to a resource based on whether the 
user authentication sub-system determines that the first multi-factor 
authentication data matches at least a corresponding subset of second multi- 
factor authentication data encrypted and stored in a separated non-volatile 
memory of the sub-system. 

29. The machine-accessible storage medium of claim 28 wherein 
requesting the user to provide first multi-factor authentication data includes 
requesting at least one biometric input data type. 
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